Bit Chat: A Peer-to-Peer Instant Messenger
Shreyas Zare
shreyas@technitium.com
December 20, 2015

Abstract. Bit Chat is a peer-to-peer instant messaging concept that allows one-to-one or group instant messaging and file sharing, using a decentralized peer-to-peer protocol, end-to-end encryption and a trust-based peer identification system. Users communicate by forming a full mesh network topology after discovering the peer IP addresses to connect to, using Bit Torrent trackers and a Distributed Hash Table (DHT). The system's purpose is to provide a secure instant messaging platform for privacy and security.

1. Introduction

Bit Chat is a secure, peer-to-peer, open source instant messenger designed to provide end-to-end encryption; it can be used over the Internet and on private LAN networks for instant messaging and file sharing. The implementation makes ubiquitous and automatic encryption available to all users without their needing to understand the complexities involved.

Most instant messaging platforms use a centralized architecture: users connect to the network and exchange messages, while the service provider of such a platform can collect metadata and even retain copies of messages (when end-to-end encryption is not available). Even with end-to-end encryption protocol support, the user has to trust and depend upon the messaging service provider for initial contact and key exchange, and still gives away metadata such as when and with whom the user chats.

By contrast, as a peer-to-peer messaging platform, Bit Chat lets users connect to each other directly and exchange messages over an end-to-end encrypted channel. Each Bit Chat user needs to do a one-time registration for an email-address-validated digital profile certificate, which is used by the peer-to-peer protocol to authenticate the peers on both sides of the channel. Bit Chat does not have any type of contact management system for inviting a user to chat.
A user will have to make initial contact with the peer via an email or any other communication channel available, and provide the chat group name or email address to be able to chat. Bit Chat uses an algorithm to generate a network ID based on the chat group name or peer email address, and an optional shared secret. This network ID is used as an identifier for finding peer IP addresses using Bit Torrent trackers and a Distributed Hash Table (DHT). Not having to manage the contacts of each peer helps reduce the metadata footprint at the messaging service provider end.

Since there is no centralized mechanism for message routing, a user can exchange messages with a peer only when that peer is online; that is, there is no offline messaging facility. Similarly, there is no method to find out whether a user left the chat forever or just went offline.

Bit Chat is open source and the source code is available on GitHub [1] under the GNU GPLv3 License [2].

2. Peer-to-Peer Protocol

The Bit Chat peer-to-peer protocol works over TCP for making direct connections between peers. Each peer acts both as a client and as a server, accepting incoming connections and making outbound connections. A peer listens on any available random TCP port for accepting incoming connections and advertises both its IP address and port number so that it can be discovered by other peers. A peer can also act as a TCP relay and allow peers who are behind a Network Address Translation (NAT) or firewall device to accept incoming virtual TCP connections.

The peer-to-peer protocol is itself a stack of three protocol layers. The Connection Layer forms the base of the protocol; it is responsible for making and accepting TCP connections from peers, allows creating virtual channel streams, and provides the TCP relay functionality. The virtual channel stream feature allows a single TCP connection to be split into multiple virtual connections, each identified by a channel name. These virtual channel streams are further secured using the Secure Channel protocol. The secured virtual channel streams provide an end-to-end encrypted tunnel from one peer to another for transporting Bit Chat messages. Each Bit Chat network needs a separate secure channel stream connection to each peer in the chat group, forming a full mesh network topology.

The connection-initiating peer must open a virtual data channel to a Bit Chat network identified by its network ID. This network ID is generated by each peer using the chat group name or peer email address, and an optional shared secret. A channel name is then generated using the peer ID parameters from the connection handshake protocol and the network ID. This channel name is used to open the virtual data channel, secured by the Secure Channel protocol, that is required to exchange Bit Chat messages.

    +---------------------+
    |   Bit Chat Message  |
    +---------------------+
    |    Secure Channel   |
    +---------------------+
    |   Connection Layer  |
    +---------------------+
         Protocol Stack
2.1. Connection Layer

The Connection Layer uses signal frames for control and to initiate virtual channel streams. Data frames are used for transferring data in a virtual channel stream. When a peer connects to another peer over a TCP connection, a connection handshake protocol is initiated. The handshake protocol is designed to detect duplicate TCP connections using the peer ID. A peer ID (20 bytes) is an identifier randomly generated by each peer during application startup. The service port number is the TCP port number that the client is listening on for accepting incoming connections.

    SERVER                                               CLIENT
                      <---- version, service port, client peer id
    status (ok/cancel), server peer id ---->

                     Connection Handshake Protocol

    +-----------------+----------------------------------+
    | Signal (8 bits) |      Channel Name (160 bits)     |
    +-----------------+----------------------------------+
                      Connection Signal Frame

    +-----------------+----------------------------------+
    | Signal (8 bits) |      Channel Name (160 bits)     |
    +-----------------+----------------------+-----------+
    | Type (8 bits)   | Data Length (16 bits)|   Data    |
    +-----------------+----------------------+-----------+
                       Connection Data Frame
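As an added illustration of the frame layouts above (example code written for this edit, not Bit Chat's own implementation): a small Python codec that encodes signal and data frames and parses them back out of a byte stream, the way a connection-layer receiver would consume a TCP socket. The paper gives only the field widths; the signal values SIGNAL_OPEN and SIGNAL_DATA, the big-endian byte order and the behaviour of holding back an incomplete frame until the rest arrives are assumptions of this example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

CHANNEL_NAME_LEN = 20      # channel name is 160 bits
SIGNAL_OPEN = 0x01         # assumed value for "open a virtual channel"; not from the paper
SIGNAL_DATA = 0x10         # assumed value for "this is a data frame"; not from the paper
MAX_DATA_LEN = 0xFFFF      # the data length field is 16 bits


@dataclass
class Frame:
    signal: int
    channel: bytes
    msg_type: Optional[int] = None   # present only in data frames
    data: Optional[bytes] = None     # present only in data frames


def encode_signal_frame(signal: int, channel: bytes) -> bytes:
    """Signal (8 bits) | Channel Name (160 bits)."""
    if len(channel) != CHANNEL_NAME_LEN:
        raise ValueError("channel name must be 20 bytes")
    if signal == SIGNAL_DATA:
        raise ValueError("use encode_data_frame for data")
    return struct.pack("!B", signal) + channel


def encode_data_frame(channel: bytes, msg_type: int, data: bytes) -> bytes:
    """Signal (8 bits) | Channel Name (160 bits) | Type (8 bits) | Data Length (16 bits) | Data."""
    if len(channel) != CHANNEL_NAME_LEN:
        raise ValueError("channel name must be 20 bytes")
    if not 0 <= msg_type <= 0xFF:
        raise ValueError("type is an 8-bit field")
    if len(data) > MAX_DATA_LEN:
        raise ValueError("data does not fit a 16-bit length field; split it into several frames")
    return struct.pack("!B", SIGNAL_DATA) + channel + struct.pack("!BH", msg_type, len(data)) + data


def parse_frames(buf: bytes) -> Tuple[List[Frame], bytes]:
    """Parse every complete frame at the front of buf; return (frames, unconsumed tail).

    A frame is emitted only once all of its declared bytes are present, so the receiver
    never acts on a truncated frame, and the 16-bit length bounds what it buffers per frame."""
    frames: List[Frame] = []
    pos = 0
    while pos < len(buf):
        hdr_end = pos + 1 + CHANNEL_NAME_LEN
        if hdr_end > len(buf):
            break                                   # header incomplete: wait for more bytes
        signal = buf[pos]
        channel = buf[pos + 1:hdr_end]
        if signal != SIGNAL_DATA:
            frames.append(Frame(signal, channel))   # signal frames carry no payload
            pos = hdr_end
            continue
        if hdr_end + 3 > len(buf):
            break                                   # type/length fields incomplete
        msg_type, length = struct.unpack("!BH", buf[hdr_end:hdr_end + 3])
        body_end = hdr_end + 3 + length
        if body_end > len(buf):
            break                                   # payload not fully received yet
        frames.append(Frame(signal, channel, msg_type, buf[hdr_end + 3:body_end]))
        pos = body_end
    return frames, buf[pos:]


def demo() -> int:
    """Feed a constructed stream (one open signal, one data frame) through the parser
    in two chunks, as a TCP read would deliver it; returns the number of frames parsed."""
    channel = bytes(range(CHANNEL_NAME_LEN))            # constructed channel name
    stream = encode_signal_frame(SIGNAL_OPEN, channel) + encode_data_frame(channel, 0x01, b"hello")
    first, tail = parse_frames(stream[:30])             # the cut lands inside the data frame
    second, tail = parse_frames(tail + stream[30:])     # leftover bytes are prepended to the next read
    return len(first) + len(second)


if __name__ == "__main__":
    print(demo())   # → 2
```

The parser returns whatever it could not consume so the caller keeps it for the next socket read; a receiver that instead assumed each read holds whole frames would mis-parse as soon as a data frame straddles two TCP segments.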
2.2. Secure Channel

A secure channel provides an end-to-end encryption and authentication layer on top of the virtual channel stream underneath it. Both peers are required to exchange their digital profile certificates to authenticate each other before the secure channel is ready for data exchange. The secure channel protocol encrypts the digital profile certificate in transit, preventing identity disclosure to passive sniffing attacks at the network level. An optional pre-shared key (PSK) can be used to strengthen the protocol and avoid certificate disclosure to an active attacker during the certificate exchange.

The protocol also provides a master key re-negotiation feature: when triggered by either peer, it starts the secure channel key exchange again and a new master key is negotiated. Re-negotiation can be triggered automatically by either peer on the basis of the time the channel has been open or the amount of data exchanged.

The protocol implements Perfect Forward Secrecy (PFS) using Diffie-Hellman (DHE, 2048 bits) or Elliptic Curve Diffie-Hellman (ECDHE, 256 bits) depending on the handshake selection process. For authentication, an RSA (4096 bits) signed digital profile certificate is used. The data transmitted is encrypted by AES (256 bits) in CBC mode.

    +----------------+------------------+
    | Code (8 bits)  | Length (16 bits) |
    +----------------+------------------+
    |  Protocol Data (Length - 3 bytes) |
    +-----------------------------------+
          Secure Channel Control Packet

    +------------------+----------------+
    | Length (16 bits) | Flags (8 bits) |
    +------------------+----------------+
    |      Data (Length - 3 bytes)      |
    +===================================+
    |  HMAC-SHA256 (encrypt-then-mac)   |
    |            (256 bits)             |
    +-----------------------------------+
           Secure Channel Data Packet
    SERVER                                                   CLIENT

    version ---->
                                  <---- version supported
                                  <---- client nonce + crypto options (hello)
    server nonce + selected crypto option (hello) ---->
    ephemeral public key + signature ---->
                                  <---- ephemeral public key + signature

    master key = HMACSHA256(client hello + server hello, derived key)
      OR, with a PSK:
    master key = HMACSHA256(HMACSHA256(client hello + server hello, PSK), derived key)

    HMACSHA256(client hello, master key) ---->
                                  <---- HMACSHA256(server hello, master key)

    verify master key using HMAC authentication & enable encryption

    certificate ---->
                                  <---- certificate

    verify certificate and ephemeral public key signature & start data exchange

    data <--> data

                          Secure Channel Protocol
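The key derivation and key confirmation steps of the exchange above, simulated for both sides as an added example (written for this edit, not Bit Chat's own code). The two master key formulas are taken verbatim from the diagram. Everything else is an assumption of the example: the Diffie-Hellman group is a toy 127-bit group so the block runs with the standard library alone (Bit Chat negotiates DHE 2048-bit or ECDHE 256-bit), the hello is encoded as nonce plus option codes, the DH shared secret is hashed with SHA-256 to obtain the "derived key", the RSA signatures over the ephemeral keys and the certificate exchange are left out, and the reading that each side MACs the other side's hello follows the arrow convention of the diagram as reconstructed here. The last two functions show the encrypt-then-mac check on a data packet: the tag is verified before anything is decrypted.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Toy Diffie-Hellman group (127-bit Mersenne prime): only so the example runs without a
# crypto library. Do NOT use it for anything real; use the negotiated DHE 2048/ECDHE 256 groups.
P = 2**127 - 1
G = 5

DHE_2048, ECDHE_256 = b"\x01", b"\x02"     # assumed option codes, not from the paper
TAG_LEN = 32                                # HMAC-SHA256 output


def make_hello(nonce: bytes, crypto: bytes) -> bytes:
    """Hello = nonce + crypto option(s); this encoding is an assumption."""
    return nonce + crypto


def dh_keypair() -> Tuple[int, int]:
    priv = secrets.randbelow(P - 3) + 2          # private exponent in [2, P-2]
    return priv, pow(G, priv, P)


def derived_key(priv: int, peer_pub: int) -> bytes:
    """Turn the DH shared secret into the 'derived key' of the paper's formulas (SHA-256, assumed)."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("ephemeral public key out of range")   # rejects 0, 1 and p-1
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def master_key(client_hello: bytes, server_hello: bytes, dkey: bytes,
               psk: Optional[bytes] = None) -> bytes:
    transcript = client_hello + server_hello
    if psk is not None:
        # HMACSHA256(HMACSHA256(client hello + server hello, PSK), derived key)
        transcript = hmac.new(psk, transcript, hashlib.sha256).digest()
    # HMACSHA256(client hello + server hello, derived key)
    return hmac.new(dkey, transcript, hashlib.sha256).digest()


def confirm(hello: bytes, mkey: bytes) -> bytes:
    """HMACSHA256(peer's hello, master key): proves possession of the same master key."""
    return hmac.new(mkey, hello, hashlib.sha256).digest()


def run_handshake(client_psk: Optional[bytes] = None, server_psk: Optional[bytes] = None) -> bool:
    """Simulate both peers; True only if both key confirmations verify."""
    client_hello = make_hello(secrets.token_bytes(32), DHE_2048 + ECDHE_256)   # client offers options
    server_hello = make_hello(secrets.token_bytes(32), DHE_2048)               # server selects one
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    c_mk = master_key(client_hello, server_hello, derived_key(c_priv, s_pub), client_psk)
    s_mk = master_key(client_hello, server_hello, derived_key(s_priv, c_pub), server_psk)
    # Each side MACs the other side's hello under its own master key and sends it across.
    from_server = confirm(client_hello, s_mk)
    from_client = confirm(server_hello, c_mk)
    client_ok = hmac.compare_digest(from_server, confirm(client_hello, c_mk))
    server_ok = hmac.compare_digest(from_client, confirm(server_hello, s_mk))
    return client_ok and server_ok


def seal_packet(encrypted_packet: bytes, mkey: bytes) -> bytes:
    """Encrypt-then-MAC: append HMAC-SHA256(encrypted packet, master key).
    The AES-256-CBC step that produces encrypted_packet is outside this example."""
    return encrypted_packet + hmac.new(mkey, encrypted_packet, hashlib.sha256).digest()


def open_packet(packet: bytes, mkey: bytes) -> Optional[bytes]:
    """Check the tag in constant time before decrypting; None means drop the packet."""
    if len(packet) < TAG_LEN:
        return None
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mkey, body, hashlib.sha256).digest()):
        return None
    return body
```

With matching PSKs (or none on either side) both confirmations verify; if only one side has a PSK, or the PSKs differ, the two master keys diverge and the confirmation fails before any certificate is sent, which is the property that keeps the certificate from an active attacker who lacks the PSK.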
Data exchanged after the secure channel establishment is sent as a stream of encrypted packets. Each data packet implements authenticated encryption (encrypt-then-mac) using HMAC-SHA256. The complete data packet, including the 3-byte header fields, is encrypted, and then HMAC(encrypted packet, master key) is appended to the packet.

2.3. Bit Chat Message

The Bit Chat Message protocol is used to send text messages, exchange peer information, send keepalive (NOOP) messages, share files and send notifications. These messages are sent to all the peers connected to the Bit Chat network via a secure channel. The message MUST begin with the message type (8 bit) field. Each type of message has its own message format.

The file sharing feature provided using Bit Chat messages works similarly to Bit Torrent file sharing, but only for the closed group of people connected to the chat network. The file being shared is split into blocks, and a file advertisement containing the file name, size, hash, and a table of blocks with their hashes is sent to each peer connected to the chat network. Peers participating in the file transfer exchange file blocks with each other, so that the peer having the original file does not have to transfer the complete file to each peer individually. Each file block received is verified by hashing the received data and comparing it to the hash listed in the block table of the file advertisement. Once a peer has downloaded all the file blocks, it keeps sharing the blocks with other peers in need. This allows the initial file sharing peer to go offline once the file is available with another peer in the chat network.

3. Peer Discovery

Bit Chat does not depend upon any centralized mechanism to find peer information such as IP address and TCP port number. In this regard, it works similarly to a Bit Torrent client and even uses torrent trackers to find peer information. Both the HTTP [9] and UDP [10] versions of the torrent tracker protocol are supported.
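The file sharing scheme described in the Bit Chat Message section above (advertisement with a block hash table, per-block verification, peers serving verified blocks to each other after the origin leaves), as an added example written for this edit rather than Bit Chat's own code. The block size, the use of SHA-256 (the paper does not name the hash function) and the advertisement's field layout are assumptions; the sample file is constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BLOCK_SIZE = 4096   # assumed block size; the paper does not state one


def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()   # hash function is an assumption of this example


@dataclass(frozen=True)
class FileAdvertisement:
    """Sent to every peer in the chat network: name, size, whole-file hash, block hash table."""
    name: str
    size: int
    file_hash: bytes
    block_hashes: Tuple[bytes, ...]


def advertise(name: str, data: bytes) -> FileAdvertisement:
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
    return FileAdvertisement(name, len(data), sha256(data), tuple(sha256(b) for b in blocks))


class FileTransfer:
    """State one peer keeps for an advertised file; only verified blocks are stored or served."""

    def __init__(self, adv: FileAdvertisement):
        self.adv = adv
        self.blocks: Dict[int, bytes] = {}

    def expected_len(self, index: int) -> int:
        last = len(self.adv.block_hashes) - 1
        return self.adv.size - last * BLOCK_SIZE if index == last else BLOCK_SIZE

    def accept_block(self, index: int, block: bytes) -> bool:
        """Verify a block received from any peer against the advertisement before keeping it."""
        if not 0 <= index < len(self.adv.block_hashes):
            return False                                  # index outside the block table
        if len(block) != self.expected_len(index):
            return False                                  # wrong size, never hash it
        if sha256(block) != self.adv.block_hashes[index]:
            return False                                  # corrupt or forged block
        self.blocks[index] = block
        return True

    def missing(self) -> List[int]:
        return [i for i in range(len(self.adv.block_hashes)) if i not in self.blocks]

    def serve_block(self, index: int) -> Optional[bytes]:
        return self.blocks.get(index)                     # peers share what they have verified

    def assemble(self) -> Optional[bytes]:
        """Join the blocks and confirm the whole-file hash and size from the advertisement."""
        if self.missing():
            return None
        data = b"".join(self.blocks[i] for i in range(len(self.adv.block_hashes)))
        if len(data) != self.adv.size or sha256(data) != self.adv.file_hash:
            return None
        return data


SAMPLE_FILE = bytes(range(256)) * 40   # constructed 10240-byte file -> blocks of 4096, 4096, 2048


def demo() -> bool:
    """Origin seeds two peers, one corrupt block is rejected, then the origin goes offline
    and the two peers complete each other's copies."""
    adv = advertise("notes.txt", SAMPLE_FILE)
    origin = FileTransfer(adv)
    for i in range(len(adv.block_hashes)):
        origin.accept_block(i, SAMPLE_FILE[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE])
    alice, bob = FileTransfer(adv), FileTransfer(adv)
    alice.accept_block(0, origin.serve_block(0))
    bad = bytearray(origin.serve_block(1))
    bad[0] ^= 0xFF                                        # a misbehaving peer flips a byte
    rejected = not alice.accept_block(1, bytes(bad))
    alice.accept_block(1, origin.serve_block(1))
    bob.accept_block(2, origin.serve_block(2))
    # origin offline from here on; alice and bob exchange blocks
    bob.accept_block(0, alice.serve_block(0))
    bob.accept_block(1, alice.serve_block(1))
    alice.accept_block(2, bob.serve_block(2))
    return rejected and alice.assemble() == SAMPLE_FILE and bob.assemble() == SAMPLE_FILE
```

Checking the block length before hashing, and the whole-file hash after assembly, are the two checks that keep a peer from storing or re-sharing data that does not match what the origin advertised.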
Bit Chat also implements a Kademlia [8] based Distributed Hash Table (DHT) for finding peer information. Apart from torrent trackers and the DHT, Bit Chat uses IPv4 broadcast and IPv6 multicast to find peers on the same Local Area Network (LAN). A Bit Torrent client uses an infohash to track and find peers to participate in a file transfer. Similarly, the Bit Chat client uses the network ID, corresponding to a unique Bit Chat network, with which peers can find each other.

When peer contact information is discovered, the peer-to-peer protocol begins to work. Once Bit Chat peers are connected to each other, they exchange their lists of connected peers, allowing the opposite peer to know which other peers need to be connected in order to complete the full mesh network topology. It also has a trigger update mechanism which notifies other peers when a new peer is connected or disconnected, allowing quick formation of a full mesh.

The discovered DHT nodes are used by Bit Chat as TCP relays, since an active DHT node can accept incoming TCP connections. Three nodes are chosen from the list of available DHT nodes to be connected to and used as relays for accepting incoming virtual connections.
Bit Chat may require around a minute's time to discover and connect to all peers of a chat network, unlike a centralized messaging system where a user appears online to other peers almost instantaneously.

4. Profile & Profile Certificate

The profile certificate is a digital certificate issued to each Bit Chat user upon registration by a certification authority run by Technitium. Bit Chat clients have a hard-coded root certificate which is used to verify the chain of certificates. Certificates are issued only after an email address verification process and are essentially email-address-verified digital certificates. The profile certificate is exchanged with each peer in the Bit Chat network during the secure channel handshake, and it contains all the details that the user provided during the registration process. The profile certificate uses an RSA (4096 bit) key pair, which the Bit Chat client can generate automatically, or the user can import an externally generated RSA key pair in PEM format during registration.

The RSA private key parameters and Bit Chat client settings are stored in an encrypted local file called the Profile file. This user profile file is encrypted by AES (256 bits) using a profile password that the user is required to enter during registration. The key derivation algorithm PBKDF2 [12] with HMAC-SHA256 and 200,000 iterations is used to generate the AES encryption key from the user-provided profile password. The user needs to enter the profile password each time to start Bit Chat with the selected profile file. Since there is no alternate way to access the encrypted profile data without the profile password, if the user forgets the password, a new profile has to be registered to continue using Bit Chat with the same email address. The profile file can be moved or copied to another computer to be used with Bit Chat.
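The profile key derivation described above, as an added example written for this edit (not Bit Chat's code): PBKDF2 with HMAC-SHA256 and the paper's 200,000 iterations, a per-profile random salt, and a key-check tag so that a wrong password is detected before any AES-CBC decryption is attempted. The salt length, deriving a separate check key alongside the AES key, and the check tag itself are assumptions; the paper only specifies the KDF, its parameters and AES-256 for the file.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

ITERATIONS = 200_000   # PBKDF2 iteration count stated in the paper
SALT_LEN = 16          # assumed salt length; the paper does not state one


def derive_profile_keys(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256, 200,000 iterations, 64 bytes out: the first 32 are the AES-256 key,
    the last 32 a separate check key. The split is an assumption of this example."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=64)
    return material[:32], material[32:]


def key_check(check_key: bytes) -> bytes:
    """Tag stored beside the ciphertext; lets the client tell a wrong password from a corrupt file."""
    return hmac.new(check_key, b"profile-key-check", hashlib.sha256).digest()


def create_profile(password: str) -> Tuple[bytes, bytes]:
    """New profile: fresh random salt plus the check tag. Encrypting the RSA key and settings
    with the AES key (AES-256-CBC per the paper) needs a crypto library and is left out here."""
    salt = secrets.token_bytes(SALT_LEN)
    _, check_key = derive_profile_keys(password, salt)
    return salt, key_check(check_key)


def unlock_profile(password: str, salt: bytes, check: bytes) -> Optional[bytes]:
    """Return the AES key for this profile, or None if the password does not match."""
    enc_key, check_key = derive_profile_keys(password, salt)
    if not hmac.compare_digest(key_check(check_key), check):
        return None     # wrong password: no key is handed out, nothing is decrypted
    return enc_key
```

The salt makes two profiles with the same password derive different keys, and the iteration count is what makes each guess against a stolen profile file cost 200,000 HMAC rounds; the check tag costs the attacker nothing extra, it only saves the legitimate user from decrypting garbage.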
Bit Chat also supports using multiple computers running the Bit Chat client with the same profile file, and allows chatting from any of those available computers. An email address can be used to issue only one profile certificate at a time, and the certificate issuing system has a revocation mechanism for revoking a previously issued certificate, which is triggered automatically when another successful registration for the same email address is done.

This trust-based system was chosen to allow people to use something they already have (an email address) as an identifier in the peer-to-peer network. Any other peer-to-peer system that manages peer contacts requires the user to trust the system for initial contact in order to get a peer's public key or identifier. Any peer-to-peer system that does not have a trust-based system to authenticate a user is inherently vulnerable to social engineering attacks, since the user needs to trust the peer on the other end with insufficient information. Meeting in person or over a voice call to exchange contact info or verify identifiers may not be feasible or may be error prone [7].
5. Privacy

Bit Chat profile certificate registration is the only service which Technitium provides, and hence it knows the information provided during registration. The same registration information is stored inside the profile certificate, which can be viewed by any peer the user chats with. Essentially, a user is sharing the same information with the registration authority and the other peers. It is recommended that the user provide information brief enough to allow other peers to identify him/her. The RSA private key parameters and the profile encryption password are known only to the user. A detailed privacy policy document is available on the Bit Chat website [3].

Bit Chat supports the HTTP proxy and SOCKS v5 proxy protocols, which can be used to hide the IP address during registration and chatting. Similarly, the user can use any available VPN service to hide the IP address. Bit Chat can also be configured to use the Tor network via its SOCKS v5 support [4]. A user can only make outbound connections via a proxy to another peer who can accept incoming connections. If both users configure a proxy, then they will have to rely on the availability of TCP relay nodes for accepting the incoming connection.

The Bit Chat network ID is used to discover peers using Bit Torrent trackers and the DHT. Any adversary who can figure out the network ID can find the list of peer end points (IP address & port number) and use that information. The network ID is generated using the chat group name or peer email address, and an optional shared secret. When no shared secret is used, the network ID can be generated by guessing the group name or peer email address. Thus it is useful to set a shared secret; even a simple one should do a good job.

While using Bit Chat, message routing is done peer-to-peer, and hence no metadata collection is possible by Technitium.
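An added example (written for this edit, not Bit Chat's code) serving both the peer discovery section, where the network ID is the key peers look up on trackers and in the Kademlia DHT, and the privacy point just made about the shared secret. The paper says only that an algorithm derives the ID from the group name or email address plus an optional secret; the derivation here (SHA-1 over a case-folded name plus the secret, giving a 20-byte value the size of a torrent infohash) is a hypothetical stand-in, and the node IDs are constructed.

```python
import hashlib
from typing import List, Optional


def normalize(name: str) -> str:
    """Case-fold and trim so two members typing the same group name derive the same ID."""
    return name.strip().casefold()


def network_id(name: str, shared_secret: Optional[str] = None) -> bytes:
    """Hypothetical derivation, not the paper's algorithm: SHA-1 of the normalized name,
    with the secret mixed in when one is set. 20 bytes matches the infohash size that
    trackers and the DHT already key on."""
    h = hashlib.sha1(normalize(name).encode("utf-8"))
    if shared_secret:
        h.update(b"\x00" + shared_secret.encode("utf-8"))   # separator keeps name/secret boundary unambiguous
    return h.digest()


def xor_distance(a: bytes, b: bytes) -> int:
    """Kademlia's metric: distance between two 160-bit IDs is their XOR read as an integer."""
    return int.from_bytes(a, "big") ^ int.from_bytes(b, "big")


def closest_nodes(target: bytes, node_ids: List[bytes], k: int = 3) -> List[bytes]:
    """The k DHT nodes whose IDs are XOR-closest to the network ID are the ones that store
    and answer peer information for it (and, in Bit Chat, the candidates used as TCP relays)."""
    return sorted(node_ids, key=lambda n: xor_distance(target, n))[:k]


def demo() -> bool:
    """Two members who share the secret agree on the ID even with sloppy spacing and case;
    the ID computed from the group name alone is a different value, so knowing the name
    is not enough to look the group up once a secret is set."""
    alice = network_id("Project Team", "blue-coffee")
    bob = network_id("  project team ", "blue-coffee")
    from_name_only = network_id("Project Team")
    return alice == bob and from_name_only != alice
```

Without a secret the lookup key is a pure function of a guessable name, which is exactly the paper's point; with one, the ID that reaches the trackers and DHT reveals nothing useful about the group, and the XOR lookup works identically on either kind of ID.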
The peer-to-peer connections take the shortest path available, so that users on the same Internet Service Provider (ISP) will have their data routed within the same ISP network. Messages of users on a private LAN network never leave the local network. However, it is possible for ISPs to log metadata of TCP connections (such as source & destination IP addresses) that are routed via the networks they control. Any attacker capable of passive network sniffing of the network used by the peer-to-peer connection can log the TCP source & destination IP addresses. The data transferred using Bit Chat over any network is end-to-end encrypted with Perfect Forward Secrecy (PFS) in any case.

It should be noted that any peer the user chats with can view the user's IP address, and similarly the user can view each peer's IP address. This is because all peers are connected to each other directly by a TCP connection.

6. Conclusion

Bit Chat provides a simple-to-use, secure, peer-to-peer alternative instant messaging platform with end-to-end encryption for people and organizations who are concerned about their privacy and security. Using techniques similar to a Bit Torrent client, a fully peer-to-peer instant messaging network is possible and scalable, without requiring much investment to maintain service availability.
References

[1] Bit Chat Source Code on GitHub
[2] Technitium Bit Chat License Agreement
[3] Technitium Bit Chat Privacy Policy
[4] How to Configure Bit Chat to Use Tor Network
[5] Bruce Schneier, Why We Encrypt
[6] Glenn Greenwald, Why privacy matters
[7] User Error Compromises Many Encrypted Communication Apps
[8] Petar Maymounkov and David Mazieres, Kademlia: A Peer-to-Peer Information System Based on the XOR Metric
[9] Bit Torrent Tracker Protocol
[10] UDP Tracker Protocol for Bit Torrent
[11] Bit Torrent Protocol Specification
[12] PKCS #5: Password-Based Cryptography Specification Version 2.0
More informationSANE: A Protection Architecture For Enterprise Networks
Fakultät IV Elektrotechnik und Informatik Intelligent Networks and Management of Distributed Systems Research Group Prof. Anja Feldmann, Ph.D. SANE: A Protection Architecture For Enterprise Networks WS
More informationUsing etoken for SSL Web Authentication. SSL V3.0 Overview
Using etoken for SSL Web Authentication Lesson 12 April 2004 etoken Certification Course SSL V3.0 Overview Secure Sockets Layer protocol, version 3.0 Provides communication privacy over the internet. Prevents
More informationVirtual Private Networks (VPN) Connectivity and Management Policy
Connectivity and Management Policy VPN Policy for Connectivity into the State of Idaho s Wide Area Network (WAN) 02 September 2005, v1.9 (Previous revision: 14 December, v1.8) Applicability: All VPN connections
More informationVPN Configuration Guide. Dell SonicWALL
VPN Configuration Guide Dell SonicWALL 2013 equinux AG and equinux USA, Inc. All rights reserved. Under copyright law, this manual may not be copied, in whole or in part, without the written consent of
More informationVPN. VPN For BIPAC 741/743GE
VPN For BIPAC 741/743GE August, 2003 1 The router supports VPN to establish secure, end-to-end private network connections over a public networking infrastructure. There are two types of VPN connections,
More informationFig. 4.2.1: Packet Filtering
4.2 Types of Firewalls /DKo98/ FIREWALL CHARACTERISTICS 1. All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically blocking all access to the
More informationSecurity. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1
Contents Security requirements Public key cryptography Key agreement/transport schemes Man-in-the-middle attack vulnerability Encryption. digital signature, hash, certification Complete security solutions
More informationChapter 4: Security of the architecture, and lower layer security (network security) 1
Chapter 4: Security of the architecture, and lower layer security (network security) 1 Outline Security of the architecture Access control Lower layer security Data link layer VPN access Wireless access
More informationINF3510 Information Security University of Oslo Spring 2011. Lecture 9 Communication Security. Audun Jøsang
INF3510 Information Security University of Oslo Spring 2011 Lecture 9 Communication Security Audun Jøsang Outline Network security concepts Communication security Perimeter security Protocol architecture
More informationRecent (2014) vulnerabilities in SSL implementations. Leiden University. The university to discover.
Recent (2014) vulnerabilities in SSL implementations Introduction We will discuss two vulnerabilities in SSL implementations that were found in 2014: The Apple bug, affecting recent Mac OS X and ios devices.
More informationUsing BroadSAFE TM Technology 07/18/05
Using BroadSAFE TM Technology 07/18/05 Layers of a Security System Security System Data Encryption Key Negotiation Authentication Identity Root Key Once root is compromised, all subsequent layers of security
More informationCS 356 Lecture 27 Internet Security Protocols. Spring 2013
CS 356 Lecture 27 Internet Security Protocols Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists
More informationCGHub Client Security Guide Documentation
CGHub Client Security Guide Documentation Release 3.1 University of California, Santa Cruz April 16, 2014 CONTENTS 1 Abstract 1 2 GeneTorrent: a secure, client/server BitTorrent 2 2.1 GeneTorrent protocols.....................................
More informationHTTP Reverse Proxy Scenarios
Sterling Secure Proxy HTTP Reverse Proxy Scenarios Version 3.4 Sterling Secure Proxy HTTP Reverse Proxy Scenarios Version 3.4 Note Before using this information and the product it supports, read the information
More informationI2P - The Invisible Internet Project
Felipe Astolfi fastolfi@gmail.com I2P - The Invisible Internet Project Jelger Kroese jelgerkroese@gmail.com Jeroen van Oorschot post@jeroenvanoorschot.nl ABSTRACT I2P is an open source Internet technology
More informationHughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R
HughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R HughesNet Managed Broadband Network Services include a high level of end-toend security utilizing a robust architecture designed by
More informationBlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note
BlackBerry Enterprise Service 10 Secure Work Space for ios and Android Version: 10.1.1 Security Note Published: 2013-06-21 SWD-20130621110651069 Contents 1 About this guide...4 2 What is BlackBerry Enterprise
More informationInternet Firewall CSIS 4222. Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS 4222. net15 1. Routers can implement packet filtering
Internet Firewall CSIS 4222 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 27: Internet Routing Ch 30: Packet filtering & firewalls
More informationArchitecture and Data Flow Overview. BlackBerry Enterprise Service 10 721-08877-123 Version: 10.2. Quick Reference
Architecture and Data Flow Overview BlackBerry Enterprise Service 10 721-08877-123 Version: Quick Reference Published: 2013-11-28 SWD-20131128130321045 Contents Key components of BlackBerry Enterprise
More informationaxsguard Gatekeeper IPsec XAUTH How To v1.6
axsguard Gatekeeper IPsec XAUTH How To v1.6 Legal Notice VASCO Products VASCO data Security, Inc. and/or VASCO data Security International GmbH are referred to in this document as 'VASCO'. VASCO Products
More informationInternet Protocol: IP packet headers. vendredi 18 octobre 13
Internet Protocol: IP packet headers 1 IPv4 header V L TOS Total Length Identification F Frag TTL Proto Checksum Options Source address Destination address Data (payload) Padding V: Version (IPv4 ; IPv6)
More informationDeployment Scenarios
Deployment Scenarios Sun Cobalt Summary The Sun Cobalt is a network-based appliance for managing a large number of remote servers and for deploying services to these servers. A control station is deployed
More informationIntroduction to IP v6
IP v 1-3: defined and replaced Introduction to IP v6 IP v4 - current version; 20 years old IP v5 - streams protocol IP v6 - replacement for IP v4 During developments it was called IPng - Next Generation
More informationVirtual Private Network VPN IPSec Testing: Functionality Interoperability and Performance
Virtual Private Network VPN IPSec Testing: Functionality Interoperability and Performance Johnnie Chen Project Manager of Network Security Group Network Benchmarking Lab Network Benchmarking Laboratory
More information18-731 Midterm. Name: Andrew user id:
18-731 Midterm 6 March 2008 Name: Andrew user id: Scores: Problem 0 (10 points): Problem 1 (10 points): Problem 2 (15 points): Problem 3 (10 points): Problem 4 (20 points): Problem 5 (10 points): Problem
More informationIP Ports and Protocols used by H.323 Devices
IP Ports and Protocols used by H.323 Devices Overview: The purpose of this paper is to explain in greater detail the IP Ports and Protocols used by H.323 devices during Video Conferences. This is essential
More informationIntro to Firewalls. Summary
Topic 3: Lesson 2 Intro to Firewalls Summary Basic questions What is a firewall? What can a firewall do? What is packet filtering? What is proxying? What is stateful packet filtering? Compare network layer
More informationSecure Socket Layer (SSL) and Transport Layer Security (TLS)
Secure Socket Layer (SSL) and Transport Layer Security (TLS) Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available
More informationCrashPlan Security SECURITY CONTEXT TECHNOLOGY
TECHNICAL SPECIFICATIONS CrashPlan Security CrashPlan is a continuous, multi-destination solution engineered to back up mission-critical data whenever and wherever it is created. Because mobile laptops
More informationLecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References
Lecture Objectives Wireless Networks and Mobile Systems Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks Introduce security vulnerabilities and defenses Describe security functions
More informationAnalyzing the Security Schemes of Various Cloud Storage Services
Analyzing the Security Schemes of Various Cloud Storage Services ECE 646 Project Presentation Fall 2014 12/09/2014 Team Members Ankita Pandey Gagandeep Singh Bamrah Pros and Cons of Cloud Storage Services
More informationCS 494/594 Computer and Network Security
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Exercise: Chapters 13, 15-18 18 1. [Kaufman] 13.1
More informationNetwork Security Part II: Standards
Network Security Part II: Standards Raj Jain Washington University Saint Louis, MO 63131 Jain@cse.wustl.edu These slides are available on-line at: http://www.cse.wustl.edu/~jain/cse473-05/ 18-1 Overview
More informationAsymetrical keys. Alices computer generates a key pair. A public key: XYZ123345 (Used to encrypt) A secret key: ABC98765 (Used to decrypt)
Encryption keys Symmetrical keys Same key used for encryption and decryption Exchange of symmetrical keys between parties difficult without risk of interception Asymmetrical keys One key for encryption
More informationSSL BEST PRACTICES OVERVIEW
SSL BEST PRACTICES OVERVIEW THESE PROBLEMS ARE PERVASIVE 77.9% 5.2% 19.2% 42.3% 77.9% of sites are HTTP 5.2% have an incomplete chain 19.2% support weak/insecure cipher suites 42.3% support SSL 3.0 83.1%
More informationConfiguring an IPsec VPN to provide ios devices with secure, remote access to the network
Configuring an IPsec VPN to provide ios devices with secure, remote access to the network This recipe uses the IPsec VPN Wizard to provide a group of remote ios users with secure, encrypted access to the
More informationEfficient Nonce-based Authentication Scheme for. session initiation protocol
International Journal of Network Security, Vol.9, No.1, PP.12 16, July 2009 12 Efficient Nonce-based Authentication for Session Initiation Protocol Jia Lun Tsai Degree Program for E-learning, Department
More informationConfigure an IPSec Tunnel between a Firebox Vclass & a Check Point FireWall-1
Configure an IPSec Tunnel between a Firebox Vclass & a Check Point FireWall-1 This document describes how to configure an IPSec tunnel between a WatchGuard Firebox Vclass appliance (Vcontroller version
More informationHow To Understand And Understand The Ssl Protocol (Www.Slapl) And Its Security Features (Protocol)
WEB Security: Secure Socket Layer Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - COMP581 - L22 1 Outline of this Lecture Brief Information on SSL and TLS Secure Socket Layer (SSL) Transport Layer Security
More informationRemote Connectivity for mysap.com Solutions over the Internet Technical Specification
Remote Connectivity for mysap.com Solutions over the Technical Specification June 2009 Remote Connectivity for mysap.com Solutions over the page 2 1 Introduction SAP has embarked on a project to enable
More informationSkype network has three types of machines, all running the same software and treated equally:
What is Skype? Why is Skype so successful? Everybody knows! Skype is a P2P (peer-to-peer) Voice-Over-IP (VoIP) client founded by Niklas Zennström and Janus Friis also founders of the file sharing application
More informationIP Networking. Overview. Networks Impact Daily Life. IP Networking - Part 1. How Networks Impact Daily Life. How Networks Impact Daily Life
Overview Dipl.-Ing. Peter Schrotter Institute of Communication Networks and Satellite Communications Graz University of Technology, Austria Fundamentals of Communicating over the Network Application Layer
More informationTor Anonymity Network & Traffic Analysis. Presented by Peter Likarish
Tor Anonymity Network & Traffic Analysis Presented by Peter Likarish This is NOT the presenter s original work. This talk reviews: Tor: The Second Generation Onion Router Dingledine, Mathewson, Syverson
More informationVPNs. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright 2007-2015 Palo Alto Networks
VPNs Palo Alto Networks PAN-OS Administrator s Guide Version 6.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us
More information